Tag Archives: data loss

Del Brazil turns his well-experienced eye to the Wetherspoons customer data breach and asks some questions about how data was being managed, given how long some of this data had been retained by Wetherspoons.

It has been recently reported that the Pub chain JD Wetherspoon has admitted that card data of 100 customers has been stolen from a database after it was hacked. Weatherspoon’s have stated that “Very limited” credit and debit card information was accessed in the hack in June and that the information could not be used as part of any attempted fraud. Weatherspoon’s further stated that personal details, including names and email addresses may also have been stolen from more than 650,000 people.

The Information Commissioner’s Office has been notified of the breach, which only came to light recently and is investigating accordingly.

The hacked database contained customer’s details which included names, dates of birth, email addresses and phone numbers; however the 100 affected whose card data was stolen had apparently bought Wetherspoon vouchers online between January 2009 and August 2014.

“Only the last four digits of payment cards were obtained in the hack as the remaining digits were not stored in Wetherspoon’s database” said John Hutson, Weatherspoon’s Chief executive. None of the card data stored by Weatherspoon’s was encrypted because other associated details were not stored on the database.

A letter to those customers whose details may have been hacked advises them to “remain vigilant for any emails that they are not expecting that specifically ask you for personal or financial information, or request you to click on links or download information”.

Despite an email warning being received about the suspected breach little if anything was done to further investigate the possibility of a hack taking place. The email warning may have been captured by a spam filter and either quarantined or automatically deleted dependent upon the settings of the relevant servers.

Mr Hutson said that the hack has occurred between 15th and 17th June and there was no evidence that fraudulent activity had taken place using the hacked data from the database. Yo40 1jdHe added: “We have taken all necessary measures to make our website secure again following this attack. A forensic investigation into the breach is continuing.”

Serious questions need to be asked of Wetherspoon’s as to why they were retaining customer data for such a long period time in fact well past the time for which it was intended to be used for. Further investigation should establish as to how and why the data was retained for such a long period of time and again one of the main data protection principles is at the forefront of the author’s mind. If the data was being retained for an appropriate reason and with the individual’s permission was there sufficient security measures in place to safe guard against and/or deter would be hackers.

Weatherspoon’s have already given a clear indication that they fully intend to keep their retention of personal data to a minimum, as stated by founder and Chairman Tim Martin. Is this likely to be to satisfy the ICO, well in essence, yes, as it does show a clear intention to limit the amount of personal data being retained by Weatherspoon’s; although once the ICO investigation has been completed it is likely that a number of requirements and/or recommendations will be imposed by the ICO.

It is of the opinion of the author that should the ongoing investigation by the ICO highlight significant failings by Weatherspoon’s in the protection of customer data then a fine should be imposed that is in line with the seriousness and size of the breach. The ICO may take a dim view of this breach as it likely to flaunt one of the key data protection act principles in that Weatherspoon’s may have been storing customer data for longer than necessary and may have not afforded the information the appropriate level of security measures.

Currently there is no legal requirement for companies to report data breaches and/or losses to the ICO; however this is likely to change in the very near future. In the author’s opinion that each and every company has a moral obligation to not only report the breach or loss of personal data to the individual concerned but also to any recognised institute, such as the ICO, so that improvements on data protection can be pushed forward by looking at previous failings.

The rise and rise of BYOD, the discovery that Ebay is not the appropriate place to divest yourself of NHS Patient data and the increase in malware and not just any malware – mobile malware. These were a few of my (least) favourite things of 2013.

It may seem churlish to poke a stick at the rise of the enormously populist BYOD but its actually connected to the concern around the rise of mobile malware. 2013 saw Blackberry drop off the business cliff and Android devices rise to start to fill the gap. According to the latest stats from Gartner 4 out of every 5 devices in the last quarter were Android powered (driven by growth in China). This proliferation has a knock on effect because this means more employees with be BYODing with Android devices and also more business are choosing them as their business issued device. At the same time, we are reading that Android devices are the top target for malware and malicious apps. I recently heard BYOD described as ‘anarchic chaos’. Let’s see what epithet we can come up with after another year of Android malware…

Looking at Ebay as the place to send your old drives full of (personal) data…hopefully everyone has learned some massive lessons from this incident in Surrey NHS and will be doing due diligence on whoever they procure/source to carry out the destruction of this kind of data in future. Remember, any organisation that has certified to a standard like ISO27001 will welcome an audit so they can prove to you how seriously they take IS processes. This can offer some kind of reassurance and form part of that due diligence.

‘Cyber’ has been a headline grabber all year for many different reasons. Some of the time has been related to the NSA and GCHQ revelations and so Cyber could also have meant privacy. Some of those headlines have related to Cyber Security and the Government commitment to getting UK PLC fully on board with knowledge, understanding and protection. Of course, “hacker” is another word rarely out of the headlines and previously on this blog I have taken issue with media use of both of these words. Largely because it can be misleading, I won’t bang on about it again and you can read the previous blog post if you choose. However, I do think that this continued laziness will encourage people to think that security is an IT issue and therefore, someone else’s problem as opposed to a business issue that needs to be addressed at C-Level.

Phishing and Spear Phishing continue to bleep away on every Security professional’s radar. Whilst scatter gun phishing may not be growing especially, its clear that targeted or spear phishing is increasing. This also relates to my previous point about ‘hacking’ and ‘cyber’ as frequently these can be pre-emptive strikes for a full on attack or part of a broader Social Engineering attack to facilitate or enable a hack or cyber attack. If you want to read more or hear more about that then you can read our posts here and see our presentation here.

The phishing issue is a serious business and employees need proper and regular training on what these attempts look like and how to deal with them. That is not just your standard phishing attempt from someone telling you your bank account is compromised (I had an amusing one recently from Honestly Barclays Security), but a sophisticated phish from soemone who has obtained your email address and is trying to pass themselves off as someone else in order to gain access of information. This requires bespoke training from an employer. Software or a firewall may not protect you from them…

Lastly how our physical world interacts with our cyberworld. 2013 saw Google Glass arrive and the invention of a whole new insult, Glassholes (not mine, don’t shoot the messenger). Some misgivings and some misunderstandings around Google Glass merely serve to remind us that though we are raising a generation that thinks nothing of handing over their privacy in order to get a free app or free wi-fi, there are still enough people concerned about the march of technology ahead of security to make pursuing secure progress worthwhile.

We also saw the mainstream expansion of household items that are web enabled and several furores over TVs that apparently spy on their owners. Add to the list fridges and cars for next year and lets see what else is either causing ‘spying’ headlines or is being hacked by cybercrims. In the business world, smart buildings with IP security and building management systems are becoming increasingly aware of the threat from cyberspace. You can watch our presentation on the topic here. You will need sound. Making sure we buy secure security systems sounds mad, but actually it isn’t happening enough. These systems are sat on networks, needing firewalls and patching and anti virus just like our other systems. We cannot assume because a system is a security system then it is inherently secure.

Remember, everyone in an organisation is part of that organisations’ security. An information asset might be an email or electronic document, but it might also be a fax, a cardboard file,a piece of paper or an overheard conversation about intellectual property. They all have to be protected and a firewall isn’t going to cover it all.

This morning bought Security News stories from around the globe as usual. One jumped out at me, not because it was unusual but because the wording highlighted to me some dangerous assumptions and errors in thinking that we are guilty of.

oops there goes the sensitive data. Image courtesy of freedigitalphotos.net

The story was about a temporary worker at a hospital who had sent letters which contained highly sensitive childrens data, to the wrong addresses. Apparently the temporary workers who had made this series of errors had not received any DP training. The story explained that the ICO had given a warning that “even temporary staff should have Data Protection Training”

Bear with me. Last year another breach occurred in a hospital when a temp worked downloaded a large batch of patient data onto a data stick and took it home to work on. Apparently on this occasion it was assumed that Data Protection training had been done by someone else.

Firstly, assuming someone has had training in something is always dangerous. Surely if you are going to allow temporary workers access to such sensitive data it is a must have. Secondly, is it appropriate for a temporary worker to have that access? Obviously this will vary by incident or role.

Its not just the NHS, businesses make this mistake too. I have seen temporary workers who have had no vetting, logged into networks by well meaning employees on their own login credentials. There they have been able to access any sensitive data they wished and the trusting employee has handed over that organisation’s data to someone who may well damage, steal or sell it.

Back to my original point, to say that ‘even’ temporary workers should have Data Protection training seems a bit like looking the wrong way down a telescope. Surely we should be saying temporary workers especially need Data Protection training?

Like this:

We have today released version 3.0 of the popular and helpful ISO/IEC 27001:2013 mapping tool. This compares and maps controls, clauses and other areas from the 2005 version against the new 2013 version and vice versa.

The new version of the tool sees some additional information around documents and records.

It is available FREE from the Advent IM website either via our Latest News page or via the dedicated ISO27001 page

In the last week I have received around twenty phishing emails. These have varied from Linkedin connection requests, to Bank Account reset instructions and Paypal alerts that my security had been compromised…the irony of the last one did not escape me. In this period, I also took a worried phone call from a friend who had been called by someone who said they were working on behalf of Windows and that his PC needed to be remote cleansed and could they have access to it please…. they gave him a fake website address and refused a phone number for call back, then hung up. Its a scam that has been doing the rounds since about 2008 ( I’m sure you’ll correct me if I’m wrong!) He was working from home at the time and connected to his businesses network.

So in the first cases of the emails, it was fairly clear to me that these were phishing attempts. They were not targeted at me or at Advent IM specifically, just chancers doing what chancers do. The Paypal email was the most disturbing because it was better designed than the others. In all cases though, a brief visit to my Linkedin inbox, online bank account and paypal account respectively (and not through the ‘helpful’ links offered in the phishing emails) proved that each were fake and I reported them. It made me wonder how many businesses actually train their staff in recognising them as security threats and how to subsequently deal with them. I saw a debate on Linkedin recently about holding individual employees responsible for security breaches and terminating their employment as a result. It included a poll. Many felt that if adequate (no definition included, sorry) training were supplied and a properly enforced and educated policy were in place, the breach was felt to be a result of employee negligence and therefore they should be held accountable. ‘Adequate’ is a relative term I appreciate, I do feel however that it should include ‘regular refresh and update’ within it as well as regular review of the scope – threat changes.

The other part of the example I mentioned at the start was altogether more sinister. This was an individual actually picking up the phone and posing as an IT expert, offering a free service on behalf of a household name. It is easy to see how many people could be duped by this. Working at home in this case, means that the person was connected to their company’s email systems and information network. Luckily, the person concerned smelled a rat and asked awkward questions which resulted in the phishers exiting as quickly as possible. Not everyone might realise this was actually an attack and the result could be not only the loss of their personal information or even financial compromise but also potential compromise of their employers network. In this case, no training had been given in spotting an attack of this kind. If the individual involved had not realised this was nefarious, would it be fair to penalise them? After all this kind of attack was not included in the ‘adequate’ security awareness training they received.

This IT support approach was also employed in the recent attacks on Barclays and Santander, when an individual actually entered branches of those banks and installed or attempted to install desktop cameras to enable a hack. The individual was posing as an IT repair engineer in both cases. It is far more targeted and part of a concerted campaign. Phishing emails are also sometimes targeted toward individuals, again normally part of a broader campaign and not a scatter-gun phishing expedition to see who bites. This is more aligned to the Social Engineering approach. Specific information or access will be the target and so it differs from the mainstream approach and by definition makes it far more difficult to quantify and therefore provide training for awareness. That doesn’t mean that we shouldn’t do it. Particularly if we are keen to move down the road toward individual accountability.

Incidentally if anyone is interested in watching a video in which the ‘Windows/Microsoft” scammer tries it on the wrong person…..click here